From 471ab88b4230c248db4e4cfa46bdee0790429860 Mon Sep 17 00:00:00 2001
From: Kagami Sascha Rosylight
Date: Sat, 1 Jul 2023 15:44:03 +0200
Subject: [PATCH] clarify the reason behind dns lookup

---
 .../backend/src/server/oauth/OAuth2ProviderService.ts | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/packages/backend/src/server/oauth/OAuth2ProviderService.ts b/packages/backend/src/server/oauth/OAuth2ProviderService.ts
index 6aad6c5075..93cbaa4035 100644
--- a/packages/backend/src/server/oauth/OAuth2ProviderService.ts
+++ b/packages/backend/src/server/oauth/OAuth2ProviderService.ts
@@ -49,7 +49,6 @@ function validateClientId(raw: string): URL {
 // https://datatracker.ietf.org/doc/html/rfc6749.html#section-3.1.2.1
 // 'The redirection endpoint SHOULD require the use of TLS as described
 // in Section 1.6 when the requested response type is "code" or "token"'
- // TODO: Consider allowing custom URIs per RFC 8252.
 const allowedProtocols = process.env.NODE_ENV === 'test' ? ['http:', 'https:'] : ['https:'];
 if (!allowedProtocols.includes(url.protocol)) {
 throw new AuthorizationError('client_id must be a valid HTTPS URL', 'invalid_request');
@@ -402,9 +401,10 @@ export class OAuth2ProviderService {
 const clientUrl = validateClientId(clientID);
- // TODO: Consider allowing localhost for native apps (RFC 8252)
- // This is currently blocked by the redirect_uri check below, but we can theoretically
- // loosen the rule for localhost as the data never leaves the client machine.
+ // https://indieauth.spec.indieweb.org/#client-information-discovery
+ // "the server may want to resolve the domain name first and avoid fetching the document
+ // if the IP address is within the loopback range defined by [RFC5735]
+ // or any other implementation-specific internal IP address."
 if (process.env.NODE_ENV !== 'test' || process.env.MISSKEY_TEST_CHECK_IP_RANGE === '1') {
 const lookup = await dns.lookup(clientUrl.hostname);
 if (ipaddr.parse(lookup.address).range() !== 'unicast') {